diff options
Diffstat (limited to 'meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch')
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch new file mode 100644 index 0000000000..c04b8e72a6 --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch @@ -0,0 +1,41 @@ +Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-3156 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611416640 25200 +# Node ID c125fbe6878395d10f01d891d3c09b1229ada404 +# Parent 09f98816fc8978f1d8623a857073d2d5746f0379 +Don't assume that argv is allocated as a single flat buffer. +While this is how the kernel behaves it is not a portable assumption. +The assumption may also be violated if getopt_long(3) permutes arguments. +Found by Qualys. + +diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c +--- a/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700 ++++ b/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700 +@@ -614,16 +614,16 @@ + if (argc != 0) { + /* shell -c "command" */ + char *src, *dst; +- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) + +- strlen(argv[argc - 1]) + 1; ++ size_t size = 0; + +- cmnd = dst = reallocarray(NULL, cmnd_size, 2); +- if (cmnd == NULL) ++ for (av = argv; *av != NULL; av++) ++ size += strlen(*av) + 1; ++ if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL) + sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + if (!gc_add(GC_PTR, cmnd)) + exit(EXIT_FAILURE); + +- for (av = argv; *av != NULL; av++) { ++ for (dst = cmnd, av = argv; *av != NULL; av++) { + for (src = *av; *src != '\0'; src++) { + /* quote potential meta characters */ + if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$') + + |